Category Archives: Cloud Computing

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib-dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream – when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 Mat 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter – asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security. He is a member of the GCHQ board and its senior information risk owner. He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack. He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

“NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

Do not properly segment their networks

Allow workstations to openly and freely connect to each other in a trusted zone.

Do not have a proper patch / update management regime

Do not firewall legacy systems

Don’t have basic ACLs [access control lists)

Three lessons?

Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.

Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs – and the upgrading of medical devices that rely on old operating systems.

Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as Wannacypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship , nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career ramifications, if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Kieran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

How do you quit a £10bn IT contract in which suppliers have become limbs of your organisation?

Thanks to reports by the National Audit Office, the questioning of HMRC civil servants by the Public Accounts Committee, answers to FOI requests, and job adverts for senior HMRC posts, it’s possible to gain a rare insight into some of the sensitive commercial matters that are usually hidden when the end of a huge IT contract draws closer.

Partly because of the footnotes, the latest National Audit Office memorandum on Aspire (June 2016) has insights that make it one of the most incisive reports it has produced on the department’s IT in more than 30 years.

Soaring costs?

Aspire is the government’s biggest IT-related contract. Inland Revenue, as it was then, signed a 10-year outsourcing deal with HP (then EDS) in 1994, and transferred about 2,000 civil servants to the company. The deal was expected to cost £2bn over 10 years.

After Customs and Excise, with its Fujitsu VME-based IT estate, was merged with Inland Revenue’s in 2005, the cost of the total outsourcing deal with HP rose to about £3bn.

In 2004 most of the IT staff and HMRC’s assets transferred to Capgemini under a contract known as Aspire – Acquiring Strategic Partners for Inland Revenue. Aspire’s main subcontractors were Accenture and Fujitsu.

In subsequent years the cost of the 10-year Aspire contract shot up from about £3bn to about £8bn, yielding combined profits to Capgemini and Fujitsu of £1.2bn – more than double the £500m originally modelled. The profit margin was 15.8% compared to 12.3% originally modelled.

The National Audit Office said in a report on Aspire in 2014 that HMRC had not handled costs well. The NAO now estimates the cost of the extended (13-year) Aspire contract from 2004 to 2017 to be about £10bn.

Between April 2006 and March 2014, Aspire accounted for about 84% of HMRC’s total spending on technology.

Servers that typically cost £30,000 a year to run under Aspire – and there are about 4,000 servers at HMRC today – cost between £6,000 when run internally or as low as £4,000 a year in the commodity market.

How could the Aspire spend continue – and without a modernisation of the IT estate?

A good service

HMRC has been generally pleased with the quality of service from Aspire’s suppliers. Major systems have run with reducing amounts of downtime, and Capgemini has helped to build many new systems.

Where things have gone wrong, HMRC appears to have been as much to blame as the suppliers, partly because development work was hit routinely by a plethora of changes to the agreed specifications.

Arguably the two biggest problems with Aspire have been cost and lack of control. In the 10 years between 2004 and 2014 HMRC paid an average of £813m a year to Aspire’s suppliers. And it paid above market rates, according to the National Audit Office.

By the time the Cabinet Office’s Efficiency and Reform Group announced in 2014 that it was seeking to outlaw “bloated and wasteful” contracts, especially ones over £100m, HMRC had already taken steps to end Aspire.

It decided to break up its IT systems into chunks it could manage, control and, to some extent, commoditise.

HMRC’s senior managers expected an end to Aspire by 2017. But unexpected events at the Department for Work and Pensions put paid to HMRC’s plan …

Eight lessons from Aspire

1. Your IT may not be transformed by outsourcing. That may be the intention at the outset. But it didn’t happen when Somerset County Council outsourced IT to IBM in 2007 and it hasn’t happened in the 12 years of the Aspire contract.

“The Aspire contract has provided stable but expensive IT systems. The contract has contributed to HMRC’s technology becoming out of date,” said the National Audit Office in its June 2016 memorandum.

“Some of the technology we use is definitely past its best-before date.”

2. You won’t realise how little you understand your outsourced IT until you look at ending a long-term deal.

Confidently and openly answering a series of trenchant questions from MP Richard Bacon at last week’s Public Accounts Committee hearing, Dearnley said,

“It’s inevitable in any large black box outsourcing deal that there are details when you get right into it that you don’t know what’s going on. So yes, that’s what we’re learning.”

3. Suppliers may seem almost philanthropic in the run-up to a large outsourcing deal because they accept losses in the early part of a contract and make up for them in later years.

Dearnley said,

“What we are finding is that it [the break-up of Aspire] is forcing us to have much cleaner commercial conversations, not getting into some of the traditional arrangements.

” If I go away from Aspire and talk about the typical outsourcing industry of the last ten years most contracts lost money in their first few years for the supplier, and the supplier relied on making money in the later years of the contract.

“What that tended to mean was that as time moved on and you wanted to change the contract the supplier was not particularly incented to want to change it because they wanted to make their money at the end.

“What we’re focusing on is making sure the deals are clean, simple, really easy to understand, and don’t mortgage the future and that we can change as the environment evolves and the world changes.”

4. If you want deeper-than-expected costs in the later years of the contract, expect suppliers to make up the money in contract extensions.

Aspire was due originally to end in 2004. Then it went to 2017 after suppliers negotiated a three-year extension in 2007. Now completion of the exit is not planned until 2020, though some services have already been insourced and more will be over the next four years.

The National Audit Office’s June 2016 memorandum reveals how the contract extension from 2017 to 2020 came about.

HMRC had a non-binding agreement with Capgemini to exit from all Aspire services by June 2017. But HMRC had little choice but to soften this approach when Capgemini’s negotiating position was unexpectedly strengthened by IT deals being struck by other departments, particularly the Department for Work and Pensions.

Cabinet Office “red lines” said that government would not extend existing contracts without a compelling case. But the DWP found that instead of being able to exit a large hosting contract with HP in February 2015 it would have to consider a variation to the contract to enable a controlled disaggregation of services from February 2015 to February 2018.

When the DWP announced it was planning to extend its IT contract with its prime supplier HP Enterprise, HMRC was already in the process of agreeing with Capgemini the contract changes necessary to formalise their agreement to exit the Aspire deal in 2017.

“Capgemini considered that this extension, combined with other public bodies planning to extend their IT contracts, meant that the government had changed its position on extensions…

“Capgemini therefore pushed for contract extensions for some Aspire services as a condition of agreeing to other services being transferred to HMRC before the end of the Aspire contract,” said the NAO’s June 2016 memo.

5. It’s naïve to expect a large IT contract to transfer risks to the supplier (s).

At last week’s Public Accounts Committee hearing, Richard Bacon wanted to know if HMRC was taking on more risk by replacing the Aspire contract with a mixture of insourced IT and smaller commoditised contracts of no more than three years. Asked by Bacon whether HMRC is taking on more risk Dearnley replied,

“Yes and no – the risk was always ours. We had some of it backed of it backed off in contract. You can debate just how valuable contract backing off is relative to £500bn (the annual amount of tax collected). We will never back all of that off. We are much closer and much more on top of the service, the delivery, the projects and the ownership (in the gradual replacement of Aspire).”

6. Few organisations seeking to end monolithic outsourcing deals will have the transition overseen by someone as clear-sighted as Mark Dearnley.

His plain speaking appeared to impress even the chairman of the Public Accounts Committee Meg Hillier who asked him at the end of last week’s hearing,

Meg Hillier

“And what are your plans? One of the problems we often see in this Committee is people in very senior positions such as yours moving on very quickly. You have had a stellar career in the private sector…

“We hope that those negotiations move apace, because I suspect – and it is perhaps unfair to ask Mr Dearnley to comment – that to lose someone senior at this point would not be good news, given the challenges outlined in the [NAO] Report,” asked Hillier.

Dearnley then gave a slightly embarrassed look to Jon Thomson, HMRC’s chief executive and first permanent secretary. Dearnley replied,

“Jon and I are looking at each other because you are right. Technically my contract finishes at the end of September because I was here for three years. As Jon has just arrived, it is a conversation we have just begun.”

Hiller said,

“I would hope that you are going to have that conversation.”

Richard Bacon added,

“Get your skates on, Mr Thompson; we want to keep him.”

Thompson said,

“We all share the same aspiration. We are in negotiations.”

7. Be prepared to set aside millions of pounds – in addition to the normal costs of the outsourcing – on exiting.

HMRC is setting aside a gigantic sum – £700m. Around a quarter of this, said the National Audit Office, is accounted for by optimism bias. The estimates also include costs that HMRC will only incur if certain risks materialise.

In particular, HMRC has allowed around £100m for the costs of transferring data from servers currently managed by Aspire suppliers to providers that will make use of cloud computing technology. This cost will only be incurred if a second HMRC programme – which focuses on how HMRC exploits cloud technology – is unsuccessful.

Other costs of the so-called Columbus programme to replace Aspire include the cost of buying back assets, plus staff, consultancy and legal costs.

8. Projected savings from quitting a large contract could dwarf the exit costs.

HMRC has estimated the possible minimum and possible maximum savings from replacing Aspire. Even the minimum estimated savings would more than justify the organisational time involved and the challenge of building up new corporate cultures and skills in-house while keeping new and existing services running smoothly.

By replacing Aspire and improving the way IT services are organised and delivered, HMRC expects to save – each year – about £200m net, after taking into account the possible exit costs of £700m.

The National Audit Office said most of the savings are calculated on the basis of removing supplier profit margins and overheads on services being brought in-house, and reducing margins on other services from contract changes.

Even if the savings don’t materialise as expected and costs equal savings the benefits of exiting are clear. The alternative is allowing costs to continue to soar while you allow the future of your IT to be determined by what your major suppliers can or will do within reasonable cost limits.

Comment

HMRC is leading the way for other government departments, councils, the police and other public bodies.

Dearnley’s approach of breaking IT into smaller manageable chunks that can be managed, controlled, optimised and to some extent commoditised is impressive. On the cloud alone he is setting up an internal team of 50.

In the past, IT empires were built and retained by senior officials arguing that their systems were unique – too bespoke and complex to be broken up and treated as a commodity to be put into the cloud.

Dearnley’s evidence to the Public Accounts Committee exposes pompous justifications for the status quo as Sir Humphrey-speak.

Both Richard Feynman and Einstein said something to the effect that the more you understand a subject, the simpler you can explain it.

What Dearnley doesn’t yet understand about the HMRC systems that are still run by Capgemini he will doubtless find out about – provided his contract is renewed before September this year.

No doubt HMRC will continue to have its Parliamentary and other critics who will say that the risks of breaking up HMRC’s proven IT systems are a step too far. But the risks to the public purse of keeping the IT largely as it is are, arguably, much greater.

The Department for Work and Pensions has proved that it’s possible to innovate with the so-called digital solution for Universal Credit, without risking payments to vulnerable people.

If the agile approach to Universal Credit fails, existing benefit systems will continue, or a much more expensive waterfall development by the DWP’s major suppliers will probably be used instead.

It is possible to innovate cheaply without endangering existing tax collection and benefit systems.

Imagine the billions that could be saved if every central government department had a Dearnley on the board. HMRC has had decades of largely negative National Audit Office reports on its IT. Is that about to change?

“Good analysis of Aspire and outsourcing challenges. I have seen too many business cases in my career, be they a case for outsourcing, provider transition or insourcing.

“The common factor in all the proposals has been the absence of strategy end of life costs. In other words, the eventual transition costs that will be incurred when the sourcing strategy itself goes end of life. Such costs are never reflected in the original business case, even though their inevitability will have an important impact on the overall integrity of the sourcing strategy business case.

“My rule of thumb is to look for the end of strategy provision in the business case, prior to transition approval. If there is no provision for the eventual sourcing strategy change, then expect to pay dearly in the end.”

“Not all legacy benefit claimants will have moved to Universal Credit by the end of 2019.”

Assumptions are changing massively

“Universal Credit impacts depend on policy assumptions. For example, there was a £30 billion movement between 2011 and 2012 in the Department’s estimate of benefit spending, which went from a £19.7 billion cost to a £10.8 billion saving. The Department changed its methodology over this time but the size of this movement was largely due to changes in benefit entitlement and conditionality.”

Spending on existing UC systems questionable?

“HM Treasury has expressed concerns about the value for money of further investment in live service systems.”

What if the digital system fails?

“ Following the Major Projects Authority’s review, HM Treasury requested, in April 2014, the Department provide it with contingency plans should the digital service be delayed or fail. The Department is due to update HM Treasury at the end of November 2014 on its progress in developing such plans.”

The small print

You can claim Universal Credit if you:

– fall into one of the accepted groups

– do not own or part own your home;

– have a bank or building society account;

– do not live in temporary accommodation;

– are not pregnant or given birth within the last 15 weeks;

– are not a carer;

– are not self-employed;

– are unemployed or have household earnings of less than £330 per month if over 25 or £270 if under 25;

– are not challenging or awaiting a decision on Jobseekers Allowance, Housing Benefit, Employment and Support Allowance, Income Support or tax credits;

– are not staying away from your main home;

– are not responsible for a child or young person who is: adopted, fostered, being looked after, registered blind or have a disability benefit.

UC security

“In June 2012, CESG [the IT security arm of GCHQ) found that security had not been properly considered from the start. The [UC] systems were developed by multiple suppliers without an overarching plan for how it would work as a whole.

“A Red Team review concluded that the programme lacked appropriate detail around the security measures it needed because of: ineffective links between design and security teams; invalid assumptions being made by technical teams about what was acceptable to the business; a lack of balance between usability and security; poor understanding of dependencies between components; and little consideration of the technical implications of business design activities. The Department was unable to address these concerns prior to the reset in February 2013.”

A good approach to agile

“Since the reset (in 2013), the Department has concentrated its use of agile on developing digital service using a co-located, mixed-skill team. In June 2014, consultants commissioned by the programme board reported that a good agile approach is in place, and that a strong agile culture and organisation has been found inside the digital service.

“The consultants also found that a focus on long-term planning and effective communication of progress is required to drive scale and delivery, and that adjustments to the team structure will be required to ensure scalability…

“To remain on track, the Department will have 18 months to increase functionality to create a fully integrated service eventually capable of handling up to 10 million claimants. It will use an agile approach to do this. The Department plans to trial new systems in spring 2015, when it intends to start testing efficiencies and delivery against policy intent. It then plans to test increased capacity from November 2015.”

Not so agile

“…The Department will continue to use traditional approaches for buying and maintaining systems supplied commercially, such as existing Department‑wide systems and cloud hosting…”

Inaccurate payments

In April 2014, a software update [from a major supplier] created new problems for [UC] calculations and inaccuracy increased again. Between April and June 2014, over 10% of payments made to claimants were incorrect. This damaged staff and stakeholder confidence in the system and the Department had to reintroduce 100% manual checking of payments in June 2014 …

“… At present the Department is undertaking 100% checking of all payments before they go out.”

Better leadership

Confidence in the leadership team has improved despite continuing difficulties and the heavy demands on the programme director through 2014 caused by the limited availability of the senior responsible owner. A follow-up survey found a large increase in the number of staff expressing confidence in the actions of senior leadership (from 30% in 2013 to 75% in 2014) and an increase in the number of staff who feel that senior management encourages challenge and welcomes their suggestions (from 30% in 2013 to 70% in 2014).

Do major suppliers have too much control of DWP IT?

“The Department’s management of suppliers has been tested by the problems that emerged following an IT update in April 2014 designed to enhance live service. A supplier made significant changes in addition to the work that had been commissioned by the Department. It did not fully inform the Department of this, therefore the update was not adequately tested before it went live.

“The release caused an increase in payment errors described in Part Three. The supplier agreed to rectify the coding at its own expense. This delayed the next release by 2 weeks because of constraints on departmental and supplier resources, and the need to implement further controls recommended in a review commissioned by the Department after the April release.

“In November 2014, the Department’s internal audit reported that the programme has built technical capability to challenge, monitor and review supplier performance, including challenge of the management information provided.”

Manual interventions

“As planned, many processes in live service and digital service areas currently remain dependent on manual interventions.”

Last month he said in a Guardian comment that central government departments are “increasingly being held hostage by a handful of huge, often overseas, suppliers of customised all-or-nothing IT systems”.

Some senior officials are happy to be held captive.

“Unfortunately, hostage and hostage taker have become closely aligned in Stockholm-syndrome fashion.

“Many people in the public sector now design, procure, manage and evaluate these IT systems and ignore the exploitative nature of the relationship,” said Thompson.

The Stockholm syndrome is a psychological phenomenon in which hostages bond with their captors, sometimes to the point of defending them.

This month the Foreign and Commonwealth Office issued a pre-tender notice for Oracle ERP systems. Worth between £250m and £750m, the framework will be open to all central government departments, arms length bodies and agencies and will replace the current “Prism” contract with Capgemini.

It’s an old-style centralised framework that, says Chris Chant, former Executive Director at the Cabinet Office who was its head of G-Cloud, will have Oracle popping champagne corks.

Universal Credit’s Programme Director, Hilary Reynolds, has stood down after only four months in post. The Department for Work and Pensions says she has been replaced by the interim head of Universal Credit David Pitchford.

Last month the DWP said Pitchford was temporarily leading Universal Credit following the death of Philip Langsdale at Christmas. In November 2012 the DWP confirmed that the then Programme Director for UC, Malcolm Whitehouse, was stepping down – to be replaced by Hilary Reynolds. Steve Dover, the DWP’s Corporate Director, Universal Credit Programme Business, has also been replaced.

Edward Donald, the chief executive of Reading-based Royal Berkshire NHS Foundation Trust, is reported in the trust’s latest published board papers as saying that a Cerner go-live has been relatively successful.

“The Chief Executive emphasised that, despite these challenges, the ‘go-live’ at the Trust had been more successful than in other Cerner Millennium sites.”

A similar, stronger message appeared was in a separate board paper which was released under FOI. Royal Berkshire’s EPR [electronic patient record] Executive Governance Committee minutes said:

“… the Committee noted that the Trust’s launch had been considered to be the best implementation of Cerner Millennium yet and that despite staff misgivings, the project was progressing well. This positive message should also be disseminated…”

Some people, including those in the know, suspect Universal Credit will be a failed IT-based project, among them Francis Maude. As Cabinet Office minister Maude is ultimately responsible for the Major Projects Authority which has the job, among other things, of averting major project failures.

But Iain Duncan Smith, the DWP secretary of state, has an ace up his sleeve: the initial go-live of Universal Credit is so limited in scope that claims could be managed by hand, at least in part.

The DWP’s FAQs suggest that Universal Credit will handle, in its first phase due to start in October 2013, only new claims – and only those from the unemployed. Under such a light load the system is unlikely to fail, as any particularly complicated claims could managed clerically.

IT spend controls and moving government services and transactions onto digital platforms £0.5bn

Optimising the government’s property portfolio £0.6bn

Project savings £1.7bn

Reviewing performance of major government projects £1.2bn

Taking waste out of the construction process £0.4bn

Workforce savings £3.4bn

Reducing the size of the Civil Service £2.2bn

Increasing contributions to public sector pensions £1.1bn

Comment

It’s good news and the figures don’t seem plucked out of thin air which sometimes happens when central government announces savings.

The big question is whether the savings are sustainable. Maude has inspired the Cabinet Office’s Efficiency and Reform Group to be motivated and hard-working. But bringing about long-term change in Whitehall – as opposed to restricting consultancy contracts and cutting annual costs of supplier contracts by reducing what’s delivered – is like peddling uphill. How long can you do it without losing motivation and energy? It’s not just parts of the civil service that are resistant to the savings agenda – it is also some IT suppliers, according to Government Computing.

It’s likely that only profound changes in central government operations and working practices will outlast the next general election. At the moment the civil service is like a rubber band that has been stretched a little. It wants to return to its standard shape, which the next government may allow it to do.

“It is not fully clear how ERG intends to make the reforms necessary to secure enough savings over the rest of the spending review. ERG has yet to translate its ambition for saving £20 billion by 2014-15 into more detailed plans.

“ERG has made progress in developing strategies across its wide range of responsibilities, and is focusing on core activities likely to produce savings. However, until recently ERG’s focus has mainly been on the savings themselves, with less emphasis on delivery of the longer-term changes and improvement in efficiency necessary to make them sustainable.”

And this:

“Departments have still tended to lack a clear strategic vision of what they are to do, what they are not, and the most cost-effective way of delivering it. Much of departments’ 2014-15 savings are likely to come from further reductions in staff. Sustainability of these savings will depend on developing skills and working in new ways while maintaining staff motivation and engagement.”

But the NAO was generally positive about the ERG’s contribution to savings.

Francis Maude laments civil service inaction over a cabinet committee mandate for centralising procurement. It “corrodes trust in the system”.

Gus O’Donnell, the former head of the civil service, confronted Francis Maude, the Cabinet Office minister in charge of civil service reform, on BBC R4’s In Defence of Bureaucracy last week.

The irreconcilable differences between O’Donnell and Maude were obvious and may be a sign of how difficult it will be for the minister to make lasting and deep cuts in IT-based spending, simplify overly complex processes, and reduce duplication.

O’Donnell spoke of the virtues of the civil service that have served the country for more than a century, particularly its impartiality. But Maude said the “value of impartiality can sometimes turn into indifference”.

O’Donnell said: “We need to be proud and passionate about the public sector ethos…” and confronted Maude for saying things about the civil service “that are not always totally positive”.

Indeed Maude said,

“Most of the civil servants I deal with are terrific, work hard and do really good work. It is not universal.”

O’Donnell then confronted Maude for saying that ministers in this and previous government have too often found that decisions they have made don’t get implemented. Is that the fault of ministers or civil servants, asked O’Donnell.

“I’d be astonished if it’s ministers,” said Maude who added,

“ I had a meeting the other day around this table … where a decision was made by a cabinet committee, more than a year ago, on the centralising of procurement. It had happened to a very minimal extent.

“If there is a problem with it, that can be flagged up and tell us. Just to go away and not do it is unacceptable … it is protection of the system. This is the speaking truth unto power thing. What is unacceptable is not to challenge a ministerial position but then not to implement it. That is what corrodes trust in the system.”

About £230bn a year – nearly a third of everything government spends – is on public sector procurement. In 2010, Nigel Smith, then CEO of the Office of Government Commerce, spoke to the “Smartgov” conference about the need for major reform in the way government buys things.

He spoke of the need for re-useable software, open source if possible, and said that suppliers regularly use fragmentation within government to maximise profits. “This has got to change,” says Smith.

He said there were 44,000 buying organisations in the public sector which buy “roughly the same things, or similar things, in basic commodity categories” such as IT and office supplies.

Massive duplication

He spoke of “massive duplication”, high tendering costs on suppliers, and a loss of value due to a lack of true aggregation. He said suppliers had little forward look of opportunities to tender and offer innovative solutions for required outcomes.

“The opportunity to improve outcomes and efficiency gains should not be constrained by contract terms and innovations should not stop at the point of contract signature.

“If we miss this opportunity [to reform] we need shooting.”

So it is clear procurement [and much else] needs reforming. But in the R4 broadcast last week (which unfortunately is no longer available) O’Donnell portrays a civil service that is almost as good as it gets.

He speaks of its permanence in contrast to transient ministers. His broadcast attacks the US system of government in which public service leaders change every time there is a new government. The suggestion is that the US system is like a ship that veers crazily from side to side, as one set of idealogues take the captain’s wheel from another. O’Donnell implies that in the UK civil service stability lasts for decades, even centuries.

The virtues he most admires in the UK civil service are what he calls the 4 “Ps” – Pace, Passion, Professionalism and Pride. His broadcast speaks of the UK civil service as a responsible, effective, continual and reliable form of administration.

Comment

O’Donnell’s most striking criticism of Maude’s intended reforms of central government goes to the heart of what Maude is trying to do: change what is happening in departments.

When, in the broadcast, Maude suggested that civil servants were not challenging ministerial decisions and were not implementing them either, O’Donnell replied that Maude was “overstating the issue”. But O’Donnell went much further and added a comment that implied Maude should leave departments alone.

O’Donnell said

“These sorts of problems mainly arise when ministers at the centre of government want to impose their will on secretaries of state who want to be left alone to run their departments as they see fit.”

Is O’Donnell giving permanent secretaries and departmental ministers his support if they continue to snub Cabinet Office reforms?

It is hardly surprising Maude is a bundle of frustrations. Central government administration cannot be reformed if departments have the autonomy to refuse to implement decisions of a cabinet committee.

It is ironic that cabinet committee decisions are binding on the entire Cabinet – but not, it seems, on departments.

Perhaps the gap between political and civil service leaders at the centre, and senior civil servants in departments, is as irreconcilable as ever. Today’s UK civil service is more than ever “Yes Minister” without the jokes. Should this be the dysfunctional basis for coalition reforms of central government?

Sir Jeremy Heywood, the current Cabinet Secretary, is perhaps a little more Maude-friendly than O’Donnell when he says in the R4 broadcast,

“There are lots of things we need to do better. Too many projects that we undertake are delayed, are over budget and don’t deliver on all the benefits that were promised. We are not as digital as the most effective private sector organisations are. We have been slow to embrace the digital revolution.”

Fine words. But if a cabinet committee’s decision on centralising procurement has little effect, how is Sir Jeremy going to convert his words into action? Or Francis Maude’s?

Last month he said in a Guardian comment that central government departments are “increasingly being held hostage by a handful of huge, often overseas, suppliers of customised all-or-nothing IT systems”.

Some senior officials are happy to be held captive.

“Unfortunately, hostage and hostage taker have become closely aligned in Stockholm-syndrome fashion.

“Many people in the public sector now design, procure, manage and evaluate these IT systems and ignore the exploitative nature of the relationship,” said Thompson.

The Stockholm syndrome is a psychological phenomenon in which hostages bond with their captors, sometimes to the point of defending them.

This month the Foreign and Commonwealth Office issued a pre-tender notice for Oracle ERP systems. Worth between £250m and £750m, the framework will be open to all central government departments, arms length bodies and agencies and will replace the current “Prism” contract with Capgemini.

It’s an old-style centralised framework that, says Chris Chant, former Executive Director at the Cabinet Office who was its head of G-Cloud, will have Oracle popping champagne corks.

In the same vein, Georgina O’Toole at Techmarketview says that central departments are staying with big Oracle ERP systems.

She said the framework “appears to support departments continuing to run Oracle or, indeed, choosing to move to Oracle”. This is “surprising as when the Shared Services strategy was published in December, the Cabinet Office continued to highlight the cost of running Oracle ERP…”

She said the framework sends a message that the Cabinet Office has had to accept that some departments and agencies are not going to move away from Oracle or SAP.

“The best the Cabinet Office can do is ensure they are getting the best deal. There’s no doubt there will be plenty of SIs looking to protect their existing relationships by getting a place on the FCO framework.”

G-Cloud and open standards?

Is the FCO framework another sign that the Cabinet Office, in trying to cut the high costs of central government IT, cannot break the bond – the willing hostage-captive relationship – between big suppliers and central departments?

The framework appears to bypass G-Cloud in which departments are not tied to a particular company. It also appears to cock a snook at the idea of replacing proprietary with open systems.

– Administrative IT systems, which cost 1% of GDP, have become a byword for complexity, opacity, expense and poor delivery.

– Departments can break free from the straitjackets of their existing systems and begin to procure technology in smaller, standardised building blocks, creating demand for standard components across government. This will provide opportunities for less expensive SMEs and stimulate the local economy.

– Open, interoperable platforms for government IT will help avoid the mass duplication of proprietary processes and systems across departments that currently waste billions.

– A negative reaction to the government’s open standards policy from some monopolistic suppliers is not surprising.

Comment

It seems that Oracle and the FCO have convinced each other that the new framework represents change. But, as Chris Chant says, it is more of the same.

If there is an exit door from captivity the big suppliers are ushering senior officials in departments towards it saying politely “you first” and the officials are equally deferential saying “no – you first”. In the end they agree to stay where they are.

Will Thompson’s comments make any difference?

Some top officials in central departments – highly respected individuals – will dismiss Thompson’s criticisms of government IT because they believe the civil service and its experienced suppliers are doing a good job: they are keeping systems of labyrinthine complexity running unnoticeably smoothly for the millions of people who rely on government IT.

Those officials don’t want to mess too much with existing systems and big IT contracts in case government systems start to become unreliable which, they argue, could badly affect millions of people.

These same officials will advocate reform of systems of lesser importance such as those involving government websites; and they will champion agile and IT-related reforms that don’t affect them or their big IT contracts.

In a sense they are right. But they ignore the fact that government IT costs much too much. They may also exaggerate the extent to which government IT works well. Indeed they are too quick to dismiss criticisms of government IT including those made by the National Audit Office.

In numerous reports the NAO has drawn attention to weaknesses such as the lack of reliable management information and unacceptable levels of fraud and internal error in the big departments. The NAO has qualified the accounts of the two biggest non-military IT spending departments, the DWP and HMRC.

Ostensible reformers are barriers to genuine change. They need to be replaced with fresh-thinking civil servants who recognise the impossibility of living with mega IT contracts.

A report on Service Birmingham – Capita’s joint venture with Birmingham City Council – shows that the deal has been largely successful so far but that trust and relationships may be breaking down in some areas.

The “High-Level” review of Service Birmingham by the Best Practice Group could be read in two ways: as a qualified endorsement of the deal so far, or as a warning that a deteriorating relationship in some areas could end up, in years to come, as a legal dispute.

The report’s authors suggest that the council and Capita have little choice but to make improvements given that the contract lasts another nine years. They say:

“Given the fact that the commercial partnership has a further nine years to operate, there is an inherent risk that unless a core focus for both parties is re-established, the commercial trust between BCC [Birmingham City Council and SB [Service Birmingham] will continue to deteriorate.

“Neither party will benefit from the relationship if this situation is permitted to manifest itself.”

In another part of its report the Best Practice Group says:

“BCC and SB seemed to overcome early challenges in their relationship by having a ‘great common cause’. The Council entered into this relationship in 2006 because it had the foresight to realise it had to fundamentally transform how it operated in order to improve social outcomes for its population…

“Now the transformation has largely been successful and the initiatives are almost complete, the level of innovation seems to have stalled and the relationship has deteriorated. Somewhere in the fire-fighting, both BCC and SB have lost sight of the next ‘great common cause’ – the fact that the Council needs to further reduce the cost of ICT service delivery by £20m per annum. This will require some significant ‘outside the box’ thinking about how to achieve from both BCC and SB.”

Below are verbatim extracts from the Best Practice Group’s report which highlight some of the lessons arising from of the joint venture so far. The sub-headings (in italics) are mine.

Extracts from Best Practice Group’s report:

Service Birmingham charges a fee even when the council implements services outside the joint venture – poor value and reputedly poor practice?

“SB has an on-going contractual duty to ensure it provides independently benchmarked best value in the services it delivers to BCC [Birmingham City Council]. As part of these arrangements, BCC can request specific third party services (outside SB’s own delivery capability) with SB applying a fee for ‘contract management’.

“However, these situations vary considerably, raising the question of how to maximise value. The contract management fee would be considered high value when BCC gives SB a service outcome it wants to achieve, and SB researches the market, provides options and recommendations to BCC, sources the best value vendor, and ensures the solution is implemented and the business outcomes achieved.

“In other situations, BCC already knows the outcome to be achieved, how to achieve it and who the best value vendor is, and can implement the solution itself. However, the same contract management percentage still applies to these cases. This causes resentment for the service area involved because they cannot see how SB has added to the process, and in real terms, is perceived by BCC as very poor value. Although the sums involved are minimal compared with the relationship’s overall cost, it is highly visible as an area of poor value and reputedly bad practice, and needs to be realigned.”

Service Birmingham needs to make a significant return for its shareholders

“Given the relationship challenges between BCC and SB, there are a couple of fundamental points to address, namely that: (a) certain individuals within the Council need to understand that SB is not a social enterprise, a public sector mutual, or a charity, and needs to make a significant return on its capital for its shareholders, and (b) SB needs to understand that the Council is in a significantly deteriorating financial position due to Government cutbacks.”

SB drops its prices when challenged

“There have been statements made by a number of the officers in the Council that SB drops its prices when challenged, especially when the Council has investigated alternative industry offerings. SB have suggested that it is only when the challenge arises that initial data is clarified and therefore, more focused pricing can be provided.”

A hardened commercial stance in some circumstances?

“… these obvious and immediate savings are now being met with a hardened commercial stance for anything that falls outside of the core deliverables by SB.”

The cloud imposes hidden costs for SB

“Regardless of whether a scale of mark-up can be achieved, one issue that is clear from the interviews undertaken is that SB/BCC needs to educate the BCC service areas at all levels around what the contract management mark-up actually buys for the Council from SB. At present, for example, there is a lack of understanding within BCC service areas that having ‘cloud’ delivered solutions within the overall portfolio does still incur hidden costs for SB in supporting the overall infrastructure and managing the intermediate fault–reporting service.”

Staff survey on SB – mixed results

“With regards to the survey, 63% stated that they talk ‘positively’ about SB to their colleagues. Slightly less, 59%, believe SB understands the requirements and support needed to deliver the Council’s services. However, when asked if they would naturally think to contact SB for help and advice in situations where they were thinking about undertaking new ICT related work, only 33% of the Council respondents said that they would…

“When asked the direct question of how satisfied they were overall with the service delivered by SB, only 15% of the respondents felt that the service was less than satisfactory. However, only 10% believed that it was excellent with 39% rating it as satisfactory and 36% rating the service received as good.”

Project concerns

“There is a feeling which was voiced by several interviewees from the Council that project implementation often runs behind schedule and ultimately it is the ‘loudest project to shout’ which will then have the scarce resources allocated to it at the cost of other projects.”

Lack of commercial trust

“…there are elements of the KPI [key performance indicator] reporting received from SB that BCC need clarity on . This, coupled with the general lack of commercial trust between the parties and the fact that BCC have shown that SB have reported some data incorrectly (after discussion around interpretation), means that the KPIs are not fully aligned to the business outcomes BCC now needs to achieve in the current financial climate.”

Seeds of a possible legal dispute in future years between the two sides?

“One point that should be highlighted is that we believe there is a misalignment between both parties view of what partnership working actually entails. From the perspective of some service areas within BCC, they view certain individuals within SB as uncooperative. In a similar vein, there are certain individuals within SB who view specific BCC staff also as uncooperative. It should be noted that these individuals within both BCC and SB are in the minority.

“However, such un-cooperation is manifesting itself into a perception of a lack of commercial trust in both camps. Some BCC individuals are not really taking into account, or understanding, that SB is a commercial organisation that has a majority shareholding by a publically listed company. Its commercial shareholders need to see financial returns from SB that increase annually…

“In the early stages, the working relationship was put firmly on the rails by having a ‘great common cause’. The transformation requirements of BCC were so fundamental, it seems many differences of opinion were set aside and both parties worked very hard to overcome the obstacles in ensuring the transformation was successful. Largely, that was achieved. Now that the original transformation process has almost all been completed, the parties working relationship seems to have deteriorated in certain instances. This pattern of behaviour is normal in most strategic vendor relationships.”

SB more expensive than the average in certain areas?

“SB appear to be significantly more expensive than average in the areas of voice, data and converged service provision (KPI-17). The most significant of the three costs provided is the provision of Data services where SB are the worst value of all of the respondents in the SOCITM survey with a cost of £227 per data outlet (capital + support) compared to a median of £118. At the time of writing this report, no clarification had been provided as to the reasons for the significant difference between the SB provided cost and the survey median. When KPI-17 is reviewed as a cost per user, SB fairs much better across the service types. It has a cost of £321 per user compared to a median of £290 per user. However if you consider that this £31 per user per year, it actually represents over £600k per annum above average.”

Council concerns over SAP work going abroad

“Different parties within BCC perceived that in the interest of cost savings, SB was passing some work on SAP projects to an off-shore organisation, rather than using the UK workforce. It should be noted that the contract allows for the off-shoring of SAP work, but only where such work does not adversely impact jobs in the UK.

“A high level review of the SAP project work has identified that SAP work has only been off-shored when the UK workforce does not have the required expertise. In addition, we requested specific evidence from individuals to support their view that work was being off-shored that could have been undertaken by the UK workforce, but this could not be provided.”

The Council was paying for unused phone lines

“… Ultimately, the Council kept receiving invoices from the line provider for what were essentially unused telephone lines. The process ceased promptly after BCC and SB addressed the escalation of the issue.”

Stagnating innovation could widen the divide between the two sides

“It is clear that both parties will continue to feel significant frustration until they can resolve how to share the innovation process, provide resources to help the generation of sound business cases and provide formalised and comprehensive feedback to allow for the implementation of suggestions. These suggestions need to become acceptable to the Council as realistic deliverable solutions. If this does not happen, then innovation between the partners will continue to stagnate, driving a widening divide between the organisations.”

KPIs not always useful?

In the case of the BCC and SB agreement, despite an abundance of KPIs being in place, the Council perceives the contract could be better aligned in order to maximise the behaviours from SB that it needs.

Comment:

The report gives the impression that those running the joint venture must overcome the many problems because the contract still has nine years left to run. Both sides, it seems, are locked into the relationship. In some areas it works. In others it doesn’t.

Capita, clearly, has been trying hard to make the relationship work. Some within the council have too. Some are not so enthusiastic and have been “making noise” according to the report’s authors. Do those making a noise have a point, or are they simply making trouble against the joint venture? The report suggests removing those making a noise. But will that remove some of those who are providing an independent challenge?

So far the relationship has been largely successful; and the survey of staff is generally positive. But there are signs of serious trouble. Innovation is stagnating, the council’s finances are deteriorating and Capita needs to make a profit from the venture. Are these fundamental incompatibilities? Will the relationship really last another nine years, especially if there is more political change within the council?

The civil service reform plan is to be published this afternoon, at 3.30pm. The Cabinet Office minister Francis Maude and Sir Bob Kerslake, the head of the civil service, write about it in today’s Daily Telegraph.

They say that the plan will help deliver a civil service culture that is “pacier, more innovative, less hierarchical and focused on outcomes not process”. They write:

“We also need sharper accountability, in particular from permanent secretaries and those leading major projects, and we need more digital services, better data and management information and for policy and implementation to be linked seamlessly together…”

In the same edition of the Telegraph Andrew Haldenby, director of the independent think tank Reform, criticises the reform plan which, although not yet published, has been foretold in newspapers including the Financial Times yesterday.

He said the reform plan will “leave the flawed structures of Whitehall in place and do no more than propose some minor variations on a theme”.

We await publication of the paper before we judge it. We hope it will, at least, require the publication of “Gateway” review reports on the progress or otherwise of major IT-enabled projects.

Without timely publication of the Major Projects Authority’s Gateway reports, MPs and the public will continue to learn of failed schemes such as the NPfIT and Firecontrol when it is too late to do much about any rescue; and without contemporaneous publication there will continue to be no accountability for the rigour or otherwise of the reviews, or their outcome.

US federal chief information officer (CIO) Steven VanRoekel is adopting a novel approach to Government IT: innovate with less.

In a piece written for the The White House’s Office of Management and Budget, VanRoekel says he has learned lessons from the private sector on helping government learn private sector best practices, and in particular, how to buy IT.

“These agency successes are a good start, but we need to do more. We still face an unacceptable amount of duplicative and low-value IT. That is why (we are)…. launching a new tool for agencies to use to assess the current maturity of their IT portfolio management process and make decisions on eliminating duplication across their organisations.

“This tool – which we’re calling “PortfolioStat” – gives agencies tools to look into the darkest corners of the organisation to find wasteful and duplicative IT investments.”

VanRoekel says the efforts are paying off.

“Over the past three years, the Federal Government has done much in adopting private sector practices to triage broken IT investments, reduce the IT infrastructure footprint, and innovate with less.

“For example, at today’s President’s Management Advisory Board meeting, the Department of the Interior showed that by modernising IT infrastructure and aligning resources to improve customer service, they will realise $100 million in savings from 2016 to 2020, for a cumulative total of $500 million. To date, there have been $11 million in cost avoidance by updating the scope of projects and $2.2 million in redirection of funds due to IT Spending Reviews.”

Over the next year, says VanRoekel, agency Deputy Secretaries or Chief Operating Officers (COO), must lead agency-wide IT portfolio reviews within their respective organisations, working in coordination with Chief Information Officers, Chief Financial Officers, and Chief Acquisition Officers.

The level of executive sponsorship, VanRoekel says, “is a direct reflection of our belief that IT is a strategic asset that can dramatically improve productivity and the way agencies execute their mission. By June 15, agencies will complete a high-level survey of agency IT portfolio status and a bureau level information request for specific types of commodity IT investments that will used to baseline the maturity of agency portfolios.

“Then, using the portfolio data gathered combined with other data available at the bureau and agency level, COOs will establish targets for commodity IT spending reductions and deadlines for meeting those targets; illustrate how investments within the IT portfolio align with the agency’s mission and business functions; establish criteria for identifying wasteful, “low-value,” or duplicative investments; and improve governance and program management utilising best practices and, where possible, benchmarks.

“Though this process is new for Federal IT, leading private sector companies have been leveraging improved IT portfolio management tools for some time. Private sector organisations that waste millions on duplicative and low value IT are destined to disappear. Competitive pressure has forced change and efficiency.

“Though there are differences between public and private sector work, my time in both makes me extremely confident that the best practices from a well-run company can be applied effectively to the Federal Government.”

According to Nextgov.com, which reported VanRoekel’s attendance at the FOSE 2012 conference on government technology, US federal IT spending grew about 7 percent every year during the decade prior to 2009.

Since President Obama took office amid the 2008 financial crisis, federal IT spending has leveled off at about $80 billion annually.

“I’m proud to say that in the last three years on that flat or declining budget we’ve actually innovated a lot,” VanRoekel said.

Homeland Security Department CIO Richard Spires imposed a 10 percent cut in operations and maintenance spending across the department in the administration’s fiscal 2013 budget request to free up money for new initiatives.

VanRoekel said initiatives to consolidate federal data centres, shift more of the IT budget to cloud computing and a “maniacal focus on rooting out duplication” were allowing agencies to invest in new technologies.

The US Defence Department’s 2013 IT budget request, for instance, is down more than $1 billion, largely because the department cut costs associated with maintaining data centres.

PortfolioStat is an opportunity for CIOs and chief operating officers to look horizontally across an agency and identify places where services can more easily be shared,VanRoekel said.

According to Nextgov’s report, the U.S. Agriculture Department has moved from more than 20 separate email systems to only one cloud-based system during the past year and recently consolidated more than 700 mobile phone contracts into three blanket purchase agreements.